Date: Wed, 26 Apr 2006 17:16:10 -0400 From: Stephen Clark <Stephen.Clark@seclark.us> To: Stephen.Clark@seclark.us Cc: stable@freebsd.org, Robert Watson <rwatson@FreeBSD.org> Subject: Re: Freebsd Stable 6.x ipsec slower than with 4.9 Message-ID: <444FE31A.7030803@seclark.us> In-Reply-To: <444FD105.1050108@seclark.us> References: <444E2503.9090506@seclark.us> <6.2.3.4.0.20060425093417.068dfc08@64.7.153.2> <444E5608.4050704@seclark.us> <6.2.3.4.0.20060425134955.051d58d0@64.7.153.2> <444F750C.7070206@seclark.us> <444FAE19.3060404@errno.com> <444FD105.1050108@seclark.us>
next in thread | previous in thread | raw e-mail | index | archive | help
Stephen Clark wrote: >Sam Leffler wrote: > > > >>Stephen Clark wrote: >> >> >> >> >>>Mike Tancsa wrote: >>> >>> >>> >>> >>> >>>>At 01:02 PM 25/04/2006, Stephen Clark wrote: >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>>>>Try first >>>>>>sysctl -w net.inet.tcp.inflight.enable=0 >>>>>> >>>>>>If its still slower, try using FAST_IPSEC instead on the server. >>>>>>However, make sure you disable INET6 >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>That increased it to 39mbits/sec. Still far from 54mbits/sec >>>>> >>>>> >>>>> >>>>> >>>>> >>>>Are all of the TCP params (compare sysctl -a net.inet.tcp on both )and >>>>application defaults still the same on both systems ? One that that >>>>for sure is not in RELENG_4 is SACK. Try disabling that and see if >>>>there is a difference. >>>> >>>> ---Mike >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>I checked the sysctl's between the two system and where the match they >>>are the same. The raw transfer rate ~94mbits/sec is the same as I was >>>getting between the systems when they were both 4.9. The real >>>difference appears to be in ipsec. The other thing that is interesting >>>is the idle time when I am running this test on the 6.x system is about >>>70% when it was a 4.9 system getting 54mbits/sec the idle time was only >>>50-55%. >>> >>>I am reluctant to try fast ipsec because of problems I had when I tried >>>it under 4.9, it didn't work with our existing sites. >>> >>> >>> >>> >>There are known locking bottlenecks in the crypto subsystem that fast >>ipsec depends on. This is consistent with idle time going up. >> >>Not sure when they'll be fixed but I know they're important to at least >>one person. >> >> Sam >>_______________________________________________ >>freebsd-stable@freebsd.org mailing list >>http://lists.freebsd.org/mailman/listinfo/freebsd-stable >>To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org" >> >> >> >> >> >Hi Sam, > >I am going to try the fast ipsec. > >Regards, >Steve > > Good news with fast ipsec I am back to 53mbits/sec. Thanks everyone, Steve -- "They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin) "The course of history shows that as a government grows, liberty decreases." (Thomas Jefferson)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?444FE31A.7030803>